INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-kasan-gce-1,10.128.15.197' (ECDSA) to the list of known hosts.
executing program
executing program
syzkaller login: [   37.909508] ==================================================================
[   37.916946] BUG: KASAN: use-after-free in __internal_add_timer+0x275/0x2d0
[   37.923941] Write of size 8 at addr ffff8801bfe0b6c8 by task syzkaller307436/3041
[   37.931532] 
[   37.933135] CPU: 0 PID: 3041 Comm: syzkaller307436 Not tainted 4.13.0+ #71
[   37.940115] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   37.949443] Call Trace:
[   37.952021]  dump_stack+0x194/0x257
[   37.955626]  ? arch_local_irq_restore+0x53/0x53
[   37.960265]  ? show_regs_print_info+0x65/0x65
[   37.964739]  ? __kernel_text_address+0xae/0xe0
[   37.969297]  ? __internal_add_timer+0x275/0x2d0
[   37.973950]  print_address_description+0x73/0x250
[   37.978767]  ? __internal_add_timer+0x275/0x2d0
[   37.983412]  kasan_report+0x24e/0x340
[   37.987189]  __asan_report_store8_noabort+0x17/0x20
[   37.992177]  __internal_add_timer+0x275/0x2d0
[   37.996662]  ? calc_wheel_index+0x200/0x200
[   38.000991]  mod_timer+0x622/0x15b0
[   38.004596]  ? mod_timer_pending+0x14e0/0x14e0
[   38.009149]  ? __lock_is_held+0xbc/0x140
[   38.013194]  ? __lock_is_held+0xbc/0x140
[   38.017228]  ? __lockdep_init_map+0xe4/0x650
[   38.021611]  ? lockdep_init_map+0x3d/0x70
[   38.025730]  ? rcu_read_lock_sched_held+0x108/0x120
[   38.030717]  ? init_timer_key+0x126/0x3b0
[   38.034843]  ? try_to_del_timer_sync+0x120/0x120
[   38.039573]  ? round_jiffies_up+0xce/0x100
[   38.043784]  ? __round_jiffies_up_relative+0x150/0x150
[   38.049029]  ? debug_lockdep_rcu_enabled+0x77/0x90
[   38.053930]  ? selinux_tun_dev_alloc_security+0x124/0x170
[   38.059453]  __tun_chr_ioctl+0x1b2c/0x3d70
[   38.063684]  ? tun_select_queue+0x580/0x580
[   38.067997]  ? lock_downgrade+0x990/0x990
[   38.072139]  ? check_same_owner+0x320/0x320
[   38.076431]  ? __handle_mm_fault+0x3840/0x3840
[   38.080989]  ? vmacache_find+0x61/0x270
[   38.084940]  ? tun_chr_compat_ioctl+0x30/0x30
[   38.089403]  tun_chr_ioctl+0x2a/0x40
[   38.093091]  ? tun_chr_ioctl+0x2a/0x40
[   38.096951]  do_vfs_ioctl+0x1b1/0x1530
[   38.100814]  ? ioctl_preallocate+0x2b0/0x2b0
[   38.105197]  ? selinux_capable+0x40/0x40
[   38.109233]  ? putname+0xf3/0x130
[   38.112662]  ? do_sys_open+0x320/0x6d0
[   38.116532]  ? security_file_ioctl+0x7d/0xb0
[   38.120934]  ? security_file_ioctl+0x89/0xb0
[   38.125347]  SyS_ioctl+0x8f/0xc0
[   38.128797]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   38.133551] RIP: 0033:0x443d99
[   38.136723] RSP: 002b:00007ffed87db588 EFLAGS: 00000202 ORIG_RAX: 0000000000000010
[   38.144408] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 0000000000443d99
[   38.151651] RDX: 00000000206f8000 RSI: 00000000400454ca RDI: 0000000000000004
[   38.158892] RBP: 0000000000000082 R08: 0000000000000000 R09: 0000000000000000
[   38.166132] R10: 0000000000000000 R11: 0000000000000202 R12: 309d815b0389dc7e
[   38.173371] R13: 74656e2f7665642f R14: 0000000000000000 R15: 0000000000000000
[   38.180628] 
[   38.182234] Allocated by task 3041:
[   38.185837]  save_stack_trace+0x16/0x20
[   38.189789]  save_stack+0x43/0xd0
[   38.193209]  kasan_kmalloc+0xad/0xe0
[   38.197237]  __kmalloc_node+0x47/0x70
[   38.201006]  kvmalloc_node+0x64/0xd0
[   38.204697]  alloc_netdev_mqs+0x16e/0xed0
[   38.208841]  __tun_chr_ioctl+0x12be/0x3d70
[   38.213045]  tun_chr_ioctl+0x2a/0x40
[   38.216728]  do_vfs_ioctl+0x1b1/0x1530
[   38.220583]  SyS_ioctl+0x8f/0xc0
[   38.223928]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   38.228651] 
[   38.230249] Freed by task 3041:
[   38.233498]  save_stack_trace+0x16/0x20
[   38.237441]  save_stack+0x43/0xd0
[   38.240864]  kasan_slab_free+0x71/0xc0
[   38.244726]  kfree+0xca/0x250
[   38.247809]  kvfree+0x36/0x60
[   38.250973]  free_netdev+0x2cf/0x360
[   38.254655]  __tun_chr_ioctl+0x2d30/0x3d70
[   38.258861]  tun_chr_ioctl+0x2a/0x40
[   38.262558]  do_vfs_ioctl+0x1b1/0x1530
[   38.266420]  SyS_ioctl+0x8f/0xc0
[   38.269759]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   38.274479] 
[   38.276078] The buggy address belongs to the object at ffff8801bfe082c0
[   38.276078]  which belongs to the cache kmalloc-16384 of size 16384
[   38.289049] The buggy address is located 13320 bytes inside of
[   38.289049]  16384-byte region [ffff8801bfe082c0, ffff8801bfe0c2c0)
[   38.301239] The buggy address belongs to the page:
[   38.306141] page:ffffea0006ff8200 count:1 mapcount:0 mapping:ffff8801bfe082c0 index:0x0 compound_mapcount: 0
[   38.316086] flags: 0x200000000008100(slab|head)
[   38.320730] raw: 0200000000008100 ffff8801bfe082c0 0000000000000000 0000000100000001
[   38.328583] raw: ffffea00074f9a20 ffffea0007315a20 ffff8801dac02200 0000000000000000
[   38.336430] page dumped because: kasan: bad access detected
[   38.342106] 
[   38.343704] Memory state around the buggy address:
[   38.348608]  ffff8801bfe0b580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   38.355935]  ffff8801bfe0b600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   38.363265] >ffff8801bfe0b680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   38.370609]                                               ^
[   38.376290]  ffff8801bfe0b700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   38.383618]  ffff8801bfe0b780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   38.390945] ==================================================================
[   38.398269] Disabling lock debugging due to kernel taint
[   38.403773] Kernel panic - not syncing: panic_on_warn set ...
[   38.403773] 
[   38.411098] CPU: 0 PID: 3041 Comm: syzkaller307436 Tainted: G    B   4.13.0+ #71
[   38.419551] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   38.428869] Call Trace:
[   38.431424]  dump_stack+0x194/0x257
[   38.435026]  ? arch_local_irq_restore+0x53/0x53
[   38.439663]  ? vprintk_default+0x28/0x30
[   38.443689]  ? __internal_add_timer+0x1a0/0x2d0
[   38.448322]  panic+0x1e4/0x417
[   38.451483]  ? __warn+0x1d9/0x1d9
[   38.454906]  ? __internal_add_timer+0x275/0x2d0
[   38.459549]  kasan_end_report+0x50/0x50
[   38.463491]  kasan_report+0x137/0x340
[   38.467261]  __asan_report_store8_noabort+0x17/0x20
[   38.472242]  __internal_add_timer+0x275/0x2d0
[   38.476704]  ? calc_wheel_index+0x200/0x200
[   38.480997]  mod_timer+0x622/0x15b0
[   38.484598]  ? mod_timer_pending+0x14e0/0x14e0
[   38.489151]  ? __lock_is_held+0xbc/0x140
[   38.493183]  ? __lock_is_held+0xbc/0x140
[   38.497213]  ? __lockdep_init_map+0xe4/0x650
[   38.501600]  ? lockdep_init_map+0x3d/0x70
[   38.505713]  ? rcu_read_lock_sched_held+0x108/0x120
[   38.510696]  ? init_timer_key+0x126/0x3b0
[   38.514812]  ? try_to_del_timer_sync+0x120/0x120
[   38.519534]  ? round_jiffies_up+0xce/0x100
[   38.523734]  ? __round_jiffies_up_relative+0x150/0x150
[   38.528975]  ? debug_lockdep_rcu_enabled+0x77/0x90
[   38.533869]  ? selinux_tun_dev_alloc_security+0x124/0x170
[   38.539374]  __tun_chr_ioctl+0x1b2c/0x3d70
[   38.543580]  ? tun_select_queue+0x580/0x580
[   38.547871]  ? lock_downgrade+0x990/0x990
[   38.551996]  ? check_same_owner+0x320/0x320
[   38.556289]  ? __handle_mm_fault+0x3840/0x3840
[   38.560842]  ? vmacache_find+0x61/0x270
[   38.564783]  ? tun_chr_compat_ioctl+0x30/0x30
[   38.569249]  tun_chr_ioctl+0x2a/0x40
[   38.572926]  ? tun_chr_ioctl+0x2a/0x40
[   38.576778]  do_vfs_ioctl+0x1b1/0x1530
[   38.580633]  ? ioctl_preallocate+0x2b0/0x2b0
[   38.585006]  ? selinux_capable+0x40/0x40
[   38.589032]  ? putname+0xf3/0x130
[   38.592449]  ? do_sys_open+0x320/0x6d0
[   38.596308]  ? security_file_ioctl+0x7d/0xb0
[   38.600681]  ? security_file_ioctl+0x89/0xb0
[   38.605056]  SyS_ioctl+0x8f/0xc0
[   38.608394]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   38.613115] RIP: 0033:0x443d99
[   38.616270] RSP: 002b:00007ffed87db588 EFLAGS: 00000202 ORIG_RAX: 0000000000000010
[   38.623952] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 0000000000443d99
[   38.631193] RDX: 00000000206f8000 RSI: 00000000400454ca RDI: 0000000000000004
[   38.638437] RBP: 0000000000000082 R08: 0000000000000000 R09: 0000000000000000
[   38.645674] R10: 0000000000000000 R11: 0000000000000202 R12: 309d815b0389dc7e
[   38.652911] R13: 74656e2f7665642f R14: 0000000000000000 R15: 0000000000000000
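Triage helper for the report above. This is an added example, not part of the syzkaller console output and not syzkaller's own tooling. It parses the KASAN report, re-derives the offset of the faulting write inside the kmalloc-16384 object and checks it against the figure KASAN printed, picks the first non-allocator frame from the "Allocated by" and "Freed by" stacks, and decodes the saved user-space registers of the faulting syscall. Two assumptions are stated in the code: the x86_64 `_IOC` bit layout used to split the `RSI` ioctl number into direction, type, nr and size, and that syscall number 16 in `ORIG_RAX` is `ioctl` on x86_64. The `PLUMBING` prefix list used to skip allocator and KASAN frames is a heuristic, not anything the kernel defines. The sample input is an excerpt of the report, embedded so the script runs offline.

```python
"""Parse a KASAN use-after-free report and decode the faulting syscall.

Added triage example; not syzkaller code. Assumes the x86_64 _IOC encoding
and the x86_64 syscall table entry 16 == ioctl.
"""
import re
import struct

# Excerpt of the report above, embedded as sample input.
REPORT = """\
[   37.916946] BUG: KASAN: use-after-free in __internal_add_timer+0x275/0x2d0
[   37.923941] Write of size 8 at addr ffff8801bfe0b6c8 by task syzkaller307436/3041
[   38.133551] RIP: 0033:0x443d99
[   38.136723] RSP: 002b:00007ffed87db588 EFLAGS: 00000202 ORIG_RAX: 0000000000000010
[   38.144408] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 0000000000443d99
[   38.151651] RDX: 00000000206f8000 RSI: 00000000400454ca RDI: 0000000000000004
[   38.158892] RBP: 0000000000000082 R08: 0000000000000000 R09: 0000000000000000
[   38.166132] R10: 0000000000000000 R11: 0000000000000202 R12: 309d815b0389dc7e
[   38.173371] R13: 74656e2f7665642f R14: 0000000000000000 R15: 0000000000000000
[   38.182234] Allocated by task 3041:
[   38.185837]  save_stack_trace+0x16/0x20
[   38.189789]  save_stack+0x43/0xd0
[   38.193209]  kasan_kmalloc+0xad/0xe0
[   38.197237]  __kmalloc_node+0x47/0x70
[   38.201006]  kvmalloc_node+0x64/0xd0
[   38.204697]  alloc_netdev_mqs+0x16e/0xed0
[   38.208841]  __tun_chr_ioctl+0x12be/0x3d70
[   38.230249] Freed by task 3041:
[   38.233498]  save_stack_trace+0x16/0x20
[   38.237441]  save_stack+0x43/0xd0
[   38.240864]  kasan_slab_free+0x71/0xc0
[   38.244726]  kfree+0xca/0x250
[   38.247809]  kvfree+0x36/0x60
[   38.250973]  free_netdev+0x2cf/0x360
[   38.254655]  __tun_chr_ioctl+0x2d30/0x3d70
[   38.276078] The buggy address belongs to the object at ffff8801bfe082c0
[   38.276078]  which belongs to the cache kmalloc-16384 of size 16384
[   38.289049] The buggy address is located 13320 bytes inside of
[   38.289049]  16384-byte region [ffff8801bfe082c0, ffff8801bfe0c2c0)
"""

TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")          # printk timestamp prefix
FRAME = re.compile(r"\s*(\S+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
REG = re.compile(r"\b(ORIG_RAX|R[A-Z0-9]{2,3}): (?:[0-9a-f]{4}:)?(?:0x)?([0-9a-f]+)")
# Heuristic: frames that are allocator/KASAN plumbing, not the interesting call site.
PLUMBING = ("save_stack", "kasan_", "__kmalloc", "kmalloc", "kvmalloc", "kfree", "kvfree", "kmem_cache")
SYSCALLS_X86_64 = {16: "ioctl"}                   # partial table (assumption: x86_64 numbering)


def stack_after(lines, header):
    """Return the function names of the stack printed directly under `header`."""
    it = iter(lines)
    for ln in it:
        if ln.startswith(header):
            break
    frames = []
    for ln in it:
        m = FRAME.match(ln)
        if not m:
            break
        frames.append(m.group(1))
    return frames


def site(frames):
    """First frame that is not allocator or KASAN plumbing."""
    return next((f for f in frames if not f.startswith(PLUMBING)), None)


def decode_ioctl(cmd):
    """Split an ioctl number per the asm-generic _IOC layout (assumed: x86_64)."""
    direction = {0: "_IO", 1: "_IOW", 2: "_IOR", 3: "_IOWR"}[(cmd >> 30) & 3]
    return direction, chr((cmd >> 8) & 0xff), cmd & 0xff, (cmd >> 16) & 0x3fff


def reg_ascii(val):
    """A 64-bit register reinterpreted as 8 little-endian bytes, if printable."""
    b = struct.pack("<Q", val)
    return b.decode("ascii") if all(0x20 <= c < 0x7f for c in b) else None


def triage(text):
    lines = [TS.sub("", ln) for ln in text.splitlines()]
    body = "\n".join(lines)
    bug = re.search(r"BUG: KASAN: (\S+) in (\S+)", body)
    acc = re.search(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+)", body)
    obj = re.search(r"object at ([0-9a-f]+)\s+which belongs to the cache (\S+) of size (\d+)", body)
    reg = re.search(r"located (\d+) bytes inside of\s+(\d+)-byte region \[([0-9a-f]+), ([0-9a-f]+)\)", body)
    addr, size = int(acc.group(3), 16), int(acc.group(2))
    base, lo, hi = int(obj.group(1), 16), int(reg.group(3), 16), int(reg.group(4), 16)
    offset = addr - base
    # Cross-check KASAN's own arithmetic: offset, region bounds and cache size must agree.
    consistent = (offset == int(reg.group(1)) and lo == base and hi - lo == int(obj.group(3))
                  and lo <= addr and addr + size <= hi)
    regs = {k: int(v, 16) for k, v in REG.findall(body)}
    return {
        "bug": bug.group(1), "frame": bug.group(2), "access": f"{acc.group(1)} of {size} bytes",
        "cache": obj.group(2), "offset": offset, "offset_consistent": consistent,
        "alloc_site": site(stack_after(lines, "Allocated by task")),
        "free_site": site(stack_after(lines, "Freed by task")),
        "syscall": SYSCALLS_X86_64.get(regs["ORIG_RAX"], "?"), "fd": regs["RDI"],
        "ioctl": decode_ioctl(regs["RSI"]), "arg": regs["RDX"], "r13_ascii": reg_ascii(regs["R13"]),
    }


if __name__ == "__main__":
    for k, v in triage(REPORT).items():
        print(f"{k:>18}: {v}")
```

On this report the helper confirms the 13320-byte offset, names `alloc_netdev_mqs` and `free_netdev` as the allocation and free sites (both reached from `__tun_chr_ioctl`), decodes `RSI` as `_IOW('T', 202, 4)`, which is the TUNSETIFF encoding, shows fd 4 as the target, and reads `R13` as the bytes of "/dev/net" left in a callee-saved register by the fuzzer's user-space program.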